Nov 22, 2025

WireGuard vs OpenVPN: Which VPN Protocol Is Faster, Safer, and Worth Using in 2026?

WireGuard is faster, simpler, and harder to break than OpenVPN. Here's exactly how it works, how it stacks up against the alternatives, and when you should actually use it.

Is Your VPN Slow? WireGuard Might Be the Fix.

If your VPN disconnects every time you switch from Wi-Fi to mobile data, or if it cuts your internet speed in half, the problem is almost certainly the protocol — not the provider. Most VPNs still default to OpenVPN, which was designed in 2001 and shows its age.

WireGuard is a modern replacement that's faster, smaller, simpler to configure, and handles mobile roaming seamlessly. It's already inside the Linux kernel, used by Mullvad, ProtonVPN, NordVPN, and most VPN providers who care about performance.

This guide explains how WireGuard actually works, how it compares to OpenVPN and IPSec, and whether you should be using it right now.

TL;DR: Use WireGuard for personal VPN servers and most consumer VPN apps. Use OpenVPN if your firewall blocks UDP. Use IPSec for enterprise site-to-site tunnels. For almost everything else, WireGuard wins.

What Makes WireGuard Different

OpenVPN has around 70,000 lines of code. IPSec implementations run into the hundreds of thousands. WireGuard has roughly 4,000 lines. That's not a limitation — that's the point.

Less code means fewer places for bugs to hide. It means the entire implementation can be audited by a single person. It means the kernel integration is practical. And it means the overhead of running the protocol is tiny compared to older alternatives.

Beyond code size, WireGuard made one other radical choice: it has no cipher negotiation. You can't configure WireGuard to use weak encryption because there's nothing to configure. It uses one fixed set of modern algorithms, and if those algorithms ever need to change, WireGuard gets a version bump.

How WireGuard Works: Cryptokey Routing

WireGuard's core idea is called cryptokey routing. Instead of sessions, connection states, or negotiation, it associates public keys with allowed IP addresses.

Every WireGuard peer has a key pair. The private key stays on the device. The public key gets shared with the other end of the tunnel. When a packet arrives at a WireGuard interface, it checks: is there a peer key that can decrypt this? If yes, the packet is accepted. If no, it's silently dropped.

That's the entire access control model. No login. No session token. Cryptographic verification on every packet, automatically.

The Cryptography Inside WireGuard

WireGuard uses four specific algorithms with no alternatives:

  • ChaCha20-Poly1305 — symmetric encryption and authentication. Faster than AES in software, which matters on mobile CPUs and cheap routers without hardware AES acceleration.
  • Curve25519 — Diffie-Hellman key exchange. Fast, well-analyzed, 128-bit equivalent security.
  • BLAKE2s — hashing. Faster than SHA-256 in software.
  • SipHash24 — hashtable keys to prevent denial-of-service on routing lookups.

The opinionated choice here is deliberate. With OpenVPN you can misconfigure DES or MD5 if you're not careful. With WireGuard, misconfiguring cryptography is not possible — there's nothing to configure.

The Handshake: 1 Round Trip vs Multiple

When two WireGuard peers connect, the handshake takes exactly one round trip. The initiator sends a message encrypted under the responder's public key. The responder sends back a reply. Both sides have a shared session key and data flows immediately.

OpenVPN's TLS handshake takes several round trips. IPSec's IKEv2 handshake takes at least two. On a connection with 50ms latency, the difference between 1 RTT and 3 RTTs is 100ms of extra startup time — noticeable, especially on mobile where reconnects happen constantly.

WireGuard also generates new ephemeral keys for each session and rotates them automatically every 3 minutes or 2^64 packets. Perfect Forward Secrecy, with zero configuration required.

Why WireGuard Handles Mobile Roaming Better Than Anything Else

This is WireGuard's most practical advantage for everyday users.

Traditional VPNs maintain stateful connections. When your phone switches from home Wi-Fi to LTE — getting a new IP address in the process — the VPN tunnel breaks. OpenVPN needs 10-30 seconds to re-establish. IPSec's MOBIKE extension handles this but requires careful configuration.

WireGuard has no connection state. When a packet arrives from a peer and passes cryptographic verification, it's accepted regardless of the source IP. The peer table updates automatically with the new address. The tunnel just keeps working.

Walk out of your house onto mobile data. WireGuard adapts in milliseconds. Your downloads don't stall. Your SSH sessions don't drop. This isn't marketed as a killer feature, but anyone who uses a VPN on their phone will notice it immediately.
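To make the two ideas above concrete, here is an added model of cryptokey routing and endpoint roaming written for this article (not WireGuard's code). A peer's key string stands in for the real ChaCha20-Poly1305 authentication, and the peer names, keys and addresses are constructed; the model also includes the check real WireGuard performs on the decrypted packet's source address against the peer's AllowedIPs, which the text above leaves implicit:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of cryptokey routing (not WireGuard's code). Real WireGuard
# identifies the sender by the receiver index in the packet header and proves it
# with the ChaCha20-Poly1305 tag; here a peer's key string stands in for that.

@dataclass
class Peer:
    name: str
    public_key: str                      # constructed placeholder, not a real key
    allowed_ips: list                    # ipaddress networks this key may use
    endpoint: Optional[tuple] = None     # (ip, port) of the last authenticated packet


class CryptokeyTable:
    def __init__(self):
        self.peers = {}                  # public_key -> Peer

    def add_peer(self, name, public_key, allowed_ips, endpoint=None):
        nets = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]
        self.peers[public_key] = Peer(name, public_key, nets, endpoint)

    def route_outbound(self, dst_ip):
        """Outbound: the peer whose AllowedIPs contain dst_ip with the longest prefix
        (so 10.0.0.2/32 beats 0.0.0.0/0); None means no route into the tunnel."""
        dst = ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if dst in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def receive(self, sender_key, src_endpoint, inner_src_ip):
        """Inbound: authenticate (the key lookup stands in for the AEAD check), then
        require the decrypted packet's source to lie inside the peer's AllowedIPs,
        then learn the outer address so roaming needs no reconnect."""
        peer = self.peers.get(sender_key)
        if peer is None:
            return "dropped: unknown key"           # silently, no error reply
        if not any(ipaddress.ip_address(inner_src_ip) in n for n in peer.allowed_ips):
            return "dropped: inner source not in AllowedIPs"
        roamed = peer.endpoint is not None and peer.endpoint != src_endpoint
        peer.endpoint = src_endpoint                # endpoint follows the peer
        return "roamed" if roamed else "accepted"


if __name__ == "__main__":
    server = CryptokeyTable()
    server.add_peer("phone", "PHONE_PUBKEY", ["10.0.0.2/32"], ("203.0.113.5", 41000))
    print(server.receive("PHONE_PUBKEY", ("203.0.113.5", 41000), "10.0.0.2"))  # accepted
    print(server.receive("PHONE_PUBKEY", ("198.51.100.7", 5000), "10.0.0.2"))  # roamed
    print(server.receive("INTRUDER_KEY", ("198.51.100.7", 5000), "10.0.0.2"))  # dropped: unknown key
```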

WireGuard vs OpenVPN vs IPSec: Side-by-Side

Feature | WireGuard | OpenVPN | IPSec / IKEv2
--- | --- | --- | ---
Code size | ~4,000 lines | ~70,000 lines | Hundreds of thousands
Handshake | 1 RTT | Multiple RTTs | Multiple RTTs
Reconnect speed | Instant (stateless) | 10-30 seconds | Seconds (MOBIKE helps)
Kernel integration | Yes (Linux 5.6+) | No (userspace) | Yes
Cipher selection | Fixed, modern only | Configurable (can be weak) | Configurable (can be weak)
Mobile roaming | Seamless | Requires reconnect | MOBIKE helps
Firewall traversal | UDP only — can be blocked | Can use TCP 443 | UDP 500/4500
Enterprise features | Minimal | Moderate | Extensive
Best for | Personal VPN, mobile, speed | Blocked UDP, client certs | Site-to-site, enterprise

Real Benchmark Numbers

Benchmarks vary by hardware and network, but the pattern is consistent:

  • On a 1 Gbps link with a $10/month VPS, WireGuard typically achieves 800-900 Mbps throughput. OpenVPN on the same hardware: 100-200 Mbps. The difference is the kernel vs userspace overhead.
  • CPU usage on a mid-range server at 500 Mbps: WireGuard uses roughly 5-10% of a single core. OpenVPN uses 60-80% of a single core.
  • Connection setup time: WireGuard averages 20-30ms. OpenVPN averages 200-400ms. IPSec averages 150-300ms.

On mobile devices specifically, the lower CPU overhead translates to measurably better battery life. A WireGuard session drains less battery than an equivalent OpenVPN session because it does less processing per packet.

How to Set Up WireGuard on a VPS (Quick Overview)

Setting up your own WireGuard server on a cheap VPS takes about 10 minutes. Here's the structure:

Server config (/etc/wireguard/wg0.conf):

[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32

Client config:

[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = <server-ip>:51820
AllowedIPs = 0.0.0.0/0

Generate keys with wg genkey | tee private.key | wg pubkey > public.key. Bring up the interface with wg-quick up wg0. Enable IP forwarding with sysctl -w net.ipv4.ip_forward=1. That's genuinely it.

Compare this to OpenVPN setup: generating a CA, creating server and client certificates, configuring the PKI, writing the server config, building the client config with embedded certificates. For a single user personal VPN, WireGuard is 80% less work.


WireGuard vs NordLynx vs Tailscale

NordLynx is NordVPN's implementation of WireGuard. They wrap it in a double-NAT system to handle the static IP logging concern — the WireGuard server never sees a static mapping of your real IP to a VPN IP. It's WireGuard under the hood, with NordVPN's infrastructure on top. If you're already a NordVPN user and NordLynx is available, use it.

Tailscale is WireGuard with a control plane. It handles key distribution, NAT traversal, and device authorization automatically — the hard parts of running WireGuard at scale. Instead of manually copying public keys and configuring endpoints, you install Tailscale, log in, and devices find each other. For teams connecting multiple machines, Tailscale eliminates most WireGuard administration. The underlying encryption is still WireGuard.

Headscale is a self-hosted open-source alternative to Tailscale's control plane. Same idea — WireGuard as the tunneling layer, a coordination service on top — but you run the control plane yourself. Good for privacy-conscious teams who want Tailscale's convenience without the SaaS dependency.

WireGuard Privacy: The Static IP Concern

Traditional VPNs log session start and end times. WireGuard's stateless design means it stores something different: the timestamp of the last received packet from each peer, and the peer's last-seen IP address. There's no session to log — just a live peer table.

For commercial VPN providers, this creates a question. If you connect and the server stores your real IP in the peer table, that's a log. Providers handle this in different ways:

  • Mullvad rotates your WireGuard key every 24 hours, wiping the peer table entry with it
  • NordVPN's NordLynx uses double-NAT so the WireGuard layer never sees your real IP
  • ProtonVPN uses dynamic key assignment tied to authenticated sessions

If you're running your own WireGuard server, this is only relevant if you're specifically concerned about who has access to that server's logs. For personal use, it's a non-issue.

Common WireGuard Mistakes to Avoid

  • Forgetting IP forwarding. If client traffic isn't reaching the internet through your server, check net.ipv4.ip_forward. It defaults to off on most Linux servers. Add it to /etc/sysctl.conf to persist across reboots.
  • Wrong AllowedIPs. 0.0.0.0/0 routes everything through the tunnel. Specific subnets route only those networks. Getting this backwards either breaks internet access or bypasses the VPN entirely.
  • Missing NAT rule on the server. The PostUp iptables masquerade rule is what makes client traffic appear to come from the server's IP. Without it, traffic exits your server with the client's VPN IP as the source, and return traffic has nowhere to go.
  • Firewall blocking UDP. WireGuard is UDP only. A firewall rule that only opens TCP on your chosen port will silently block all WireGuard traffic. Confirm the rule explicitly allows UDP.
  • Swapping public and private keys. The private key never leaves the device. The public key goes in the remote peer's config. Getting this backwards means the handshake fails with no useful error message.

When WireGuard Won't Work

WireGuard uses UDP only. Some networks — corporate firewalls, hotel networks, certain mobile carriers — block all UDP traffic except DNS. In these environments, WireGuard simply won't connect.

For those scenarios, OpenVPN running on TCP 443 is the standard solution. TCP 443 is HTTPS traffic as far as most firewalls are concerned. Obfuscated OpenVPN or protocols like Shadowsocks take this further for environments with deep packet inspection.

If you're deploying a VPN for users who need to connect from restrictive networks, WireGuard as the primary protocol plus an OpenVPN-on-443 fallback is the standard approach most serious VPN providers use.

Troubleshooting WireGuard Connections

  • Tunnel comes up but no traffic flows: Check AllowedIPs on both sides. The client needs 0.0.0.0/0 for full tunnel. The server needs the client's WireGuard IP in AllowedIPs. Check the PostUp NAT rule is working with iptables -t nat -L.
  • Handshake never completes: Confirm the server is listening on the right port with ss -ulnp | grep 51820. Check the server firewall allows inbound UDP on that port. Verify the server's public key in the client config is correct.
  • DNS leaking through the tunnel: Set DNS = <vpn-dns-ip> in the Interface section of the client config. Without this, your system DNS may still use the ISP's resolver, leaking query data outside the tunnel.
  • High latency through the tunnel: Check MTU. WireGuard's overhead reduces the effective MTU. Setting MTU = 1420 in the Interface section usually resolves fragmentation-related latency on standard broadband.
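As an added example (not from the article or the WireGuard project), here is a small linter for wg-quick configs that catches the config-level mistakes listed under Common Mistakes and Troubleshooting: unreplaced key placeholders, malformed keys, a server PostUp without a MASQUERADE rule, an AllowedIPs network claimed by two peers, and a full-tunnel client with no DNS line. The sample config is constructed with those faults planted; key validation only checks that a key is 32 base64-encoded bytes, not that a public key matches any private key:

```python
import base64
import ipaddress

# Constructed sample (not one of the article's configs): a server wg0.conf with
# several of the mistakes the article lists planted in it.
GOOD_KEY = base64.b64encode(b"\x01" * 32).decode()   # a well-formed 32-byte key
SAMPLE_SERVER_CONF = f"""\
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A INPUT -p udp --dport 51820 -j ACCEPT
[Peer]
PublicKey = {GOOD_KEY}
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = not-a-real-key
AllowedIPs = 10.0.0.2/32
"""

def parse_wg_conf(text):  # tiny wg-quick parser: (interface dict, [peer dicts]); [Peer] may repeat
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(current := {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return interface, peers

def key_problem(label, key):  # WireGuard keys are exactly 32 bytes, base64-encoded
    if key.startswith("<"):   # an unreplaced <placeholder> copied from a template
        return f"{label}: {key} is a placeholder, not a real key"
    try:
        ok = len(base64.b64decode(key, validate=True)) == 32
    except ValueError:        # binascii.Error is a ValueError subclass
        ok = False
    return None if ok else f"{label}: not a valid 32-byte base64 WireGuard key"

def lint_wg_conf(text):  # list of findings for the config-level mistakes the article describes
    iface, peers = parse_wg_conf(text)
    keys = [("[Interface] PrivateKey", iface.get("PrivateKey", "<missing>"))] + [
        (f"[Peer] #{i} PublicKey", p.get("PublicKey", "<missing>")) for i, p in enumerate(peers, 1)]
    findings = [f for f in (key_problem(label, key) for label, key in keys) if f]
    is_server, full_tunnel, owners = "ListenPort" in iface, False, {}
    if is_server and "MASQUERADE" not in iface.get("PostUp", ""):
        findings.append("server PostUp has no MASQUERADE rule: return traffic has nowhere to go")
    for i, peer in enumerate(peers, start=1):
        for cidr in (c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()):
            net = ipaddress.ip_network(cidr, strict=False)  # raises ValueError on a malformed CIDR
            full_tunnel = full_tunnel or net.prefixlen == 0
            if net in owners:
                findings.append(f"{cidr} is in AllowedIPs of peers #{owners[net]} and #{i}: wg keeps it on the last one only")
            owners.setdefault(net, i)
    if not is_server and full_tunnel and "DNS" not in iface:
        findings.append("full-tunnel client without DNS =: resolver queries may leak outside the tunnel")
    return findings
```

Run `lint_wg_conf(open("/etc/wireguard/wg0.conf").read())` on a real file; an empty list means none of these particular mistakes are present, not that the tunnel will work (IP forwarding and the UDP firewall rule live outside the config).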

Frequently Asked Questions About WireGuard

Is WireGuard more secure than OpenVPN?

WireGuard uses modern cryptographic algorithms with no ability to configure weaker options — eliminating a whole class of misconfiguration risk. OpenVPN is configurable, which is flexible but allows mistakes. WireGuard's smaller codebase (4,000 lines vs 70,000) also means a smaller attack surface and easier security auditing. Both are secure when correctly set up. WireGuard is harder to set up incorrectly.

What port does WireGuard use?

WireGuard defaults to UDP port 51820, but you can configure any UDP port. It does not support TCP. If your network blocks UDP, WireGuard will not work — use OpenVPN on TCP 443 as a fallback in those environments.

Why is WireGuard faster than OpenVPN?

Three reasons: WireGuard runs inside the Linux kernel (avoiding context-switching overhead that OpenVPN incurs as a userspace process), ChaCha20-Poly1305 is faster than AES-CBC in software on most hardware, and the 1-RTT handshake has significantly less overhead than OpenVPN's multi-step TLS negotiation.

Can WireGuard be detected or blocked?

Yes. WireGuard's UDP traffic has a recognizable pattern that deep packet inspection can identify. Networks actively blocking VPN protocols can block WireGuard. For restrictive environments, OpenVPN on TCP 443 or obfuscated protocols are harder to block.

Does WireGuard support split tunneling?

Yes, through the AllowedIPs field. Set AllowedIPs = 0.0.0.0/0 for full tunnel (all traffic through VPN). List specific subnets to route only those networks through the tunnel and leave everything else on the local connection. This is how split tunneling is configured in WireGuard.

How does WireGuard handle mobile roaming?

WireGuard is stateless — it has no concept of a connection to break. When your device gets a new IP (switching from Wi-Fi to LTE), the first outgoing packet automatically updates the peer's recorded endpoint. No reconnection process, no dropped sessions. The tunnel just works through network changes.

Is WireGuard good for running a personal VPN on a VPS?

It is excellent for this. A cheap VPS (Hetzner, Vultr, DigitalOcean — $3-6/month) running WireGuard can saturate most home internet connections. Setup takes 10-15 minutes. Performance is 4-5x better than OpenVPN on equivalent hardware. It is the recommended choice for self-hosted personal VPNs.

Does WireGuard have a kill switch?

Not built-in. However, routing all traffic through the tunnel (AllowedIPs = 0.0.0.0/0) means that if the WireGuard interface drops, traffic has no other route and simply stops — which is a basic kill switch effect. Most WireGuard-based VPN clients add explicit firewall rules for a proper kill switch that prevents any traffic from leaking outside the tunnel.

What is the difference between WireGuard and Tailscale?

WireGuard is the tunneling protocol. Tailscale is a product built on top of WireGuard that adds automatic peer discovery, NAT traversal, key distribution, and device management. Tailscale makes WireGuard's mesh networking practical without manual key exchange. The underlying encryption is still WireGuard.

Is my VPN using WireGuard actually hiding my IP?

It should be, but verify it. With your VPN on, check your public IP using a tool like this one. If your real IP (the one your ISP assigned) still shows, either your VPN isn't routing traffic correctly or there's a DNS or WebRTC leak. Always verify rather than assume.

Should You Switch to WireGuard?

If you're on a consumer VPN and WireGuard is available as a protocol option, yes — switch to it. You'll get faster speeds, lower latency, better battery life on mobile, and seamless roaming. There's no downside unless your network blocks UDP.

If you're running your own VPN server, WireGuard should be your first choice for any new setup. The configuration is simpler than OpenVPN, the performance is better, and the security is easier to reason about.

The one case to stick with OpenVPN: when you need TCP 443 compatibility to work through strict firewalls. For everything else, WireGuard is the better protocol.

